4. Operate Running Systems
Red Hat Certified System Administrator (RHCSA - EX200)
In this section, you must understand how to store and manage system logs permanently using the system journal service in Red Hat Enterprise Linux.
On the RHCSA exam, you may need to:
- Configure system journals to be stored permanently.
- Control how much disk space journals use.
- Manually manage or rotate journal logs.
- Verify journal configuration.
This topic is based on the systemd journal service, which is:
- systemd
- systemd-journald
1. What Is the System Journal?
In Red Hat Enterprise Linux (RHEL 8 and RHEL 9), logging is handled by systemd-journald.
It collects log messages from:
- The Linux kernel
- System services
- Applications
- Boot process
- User sessions
These logs are stored in a structured binary format.
You use the journalctl command to read them.
2. Temporary vs Persistent Journals
This is the most important concept for the exam.
Temporary (Volatile) Journals
By default, the journal may store logs in:
/run/log/journal
This location is in memory (RAM).
This means:
- Logs are lost after reboot.
- They do NOT survive system restart.
This is called volatile logging.
Persistent Journals
To preserve logs after reboot, journals must be stored on disk in:
/var/log/journal
This is called persistent logging.
Logs remain available:
- After reboot
- For troubleshooting
- For auditing
- For security investigations
For RHCSA, you must know how to enable persistent logging.
3. How to Enable Persistent Journals
Step 1: Create the Journal Directory
If /var/log/journal does not exist, create it:
sudo mkdir -p /var/log/journal
Step 2: Set Proper Permissions
sudo systemd-tmpfiles --create --prefix /var/log/journal
This ensures correct ownership and permissions.
Step 3: Restart systemd-journald
sudo systemctl restart systemd-journald
Now logs will be stored permanently.
Alternative Method (Using Configuration File)
Edit the journald configuration file:
/etc/systemd/journald.conf
Find:
#Storage=auto
Change it to:
Storage=persistent
Then restart:
sudo systemctl restart systemd-journald
4. Verifying Persistent Logging
To confirm persistent storage:
ls /var/log/journal
If the directory contains files, logging is persistent.
You can also test:
journalctl --list-boots
If previous boots are listed, persistence is working.
5. Managing Journal Size (Very Important for Exam)
System journals can grow large. You must control disk usage.
This is configured in:
/etc/systemd/journald.conf
Important parameters:
| Setting | Purpose |
|---|---|
| SystemMaxUse= | Maximum disk space journal can use |
| SystemKeepFree= | Minimum free disk space to maintain |
| SystemMaxFileSize= | Maximum size of each journal file |
| RuntimeMaxUse= | Memory usage limit for volatile logs |
Example:
SystemMaxUse=500M
After changes:
sudo systemctl restart systemd-journald
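The two methods above work for different reasons: with the default Storage=auto, journald writes to disk only if /var/log/journal exists, while Storage=persistent makes journald create the directory itself. The script below is an added example, not part of the original guide, that applies this rule to a configuration file and reports the configured SystemMaxUse= cap. The function names are hypothetical, and it assumes only the single file it is given is read (drop-in files under journald.conf.d are not considered).

```shell
#!/bin/sh
# Added example (hypothetical helper names): predict where journald stores logs
# from a journald.conf-style file plus the state of the persistent directory.

# Print the last uncommented "key=value" found in the file, or the default.
# Lines such as "#Storage=auto" are comments and are ignored.
journald_setting() {
    local key="$1" conf="$2" default="$3" value
    value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${value:-$default}"
}

# Map Storage= and the directory state to the resulting storage type.
journal_storage_location() {
    local conf="$1" persistent_dir="$2" mode
    mode=$(journald_setting Storage "$conf" auto)
    case "$mode" in
        persistent) echo "persistent" ;;   # journald creates the directory if needed
        volatile)   echo "volatile" ;;     # /run/log/journal only, lost at reboot
        none)       echo "none" ;;         # nothing is stored
        auto)
            # auto: on disk only when the persistent directory already exists
            if [ -d "$persistent_dir" ]; then echo "persistent"
            else echo "volatile"; fi ;;
        *) echo "invalid:$mode"; return 1 ;;
    esac
}

# One-line report: storage type and configured disk cap.
# "unset" means journald's built-in default limit applies.
journal_report() {
    local conf="${1:-/etc/systemd/journald.conf}" dir="${2:-/var/log/journal}"
    printf 'storage=%s max_use=%s\n' \
        "$(journal_storage_location "$conf" "$dir")" \
        "$(journald_setting SystemMaxUse "$conf" unset)"
}

# With no arguments this inspects the live system paths (read-only).
journal_report "$@"
```

A result of storage=volatile on a server that is expected to keep logs for auditing means a reboot will discard the evidence.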
6. Manual Journal Cleanup
You can manually remove old logs.
Check disk usage:
journalctl --disk-usage
Remove logs older than a specific time:
sudo journalctl --vacuum-time=2weeks
Remove the oldest archived logs until the journal is under a size limit:
sudo journalctl --vacuum-size=200M
Remove old logs, keeping only a specific number of journal files:
sudo journalctl --vacuum-files=5
These commands are very important for RHCSA.
7. Journal Log Rotation
Journals rotate automatically when:
- File reaches maximum size
- Disk usage limit is reached
You can force rotation:
sudo journalctl --rotate
Then vacuum old logs if needed.
8. Journal Storage Locations
You must know both:
| Type | Location |
|---|---|
| Volatile | /run/log/journal |
| Persistent | /var/log/journal |
The exam may ask you to configure or verify this.
9. Journal Permissions and Security
Journal files are owned by:
root:systemd-journal
Users must belong to the systemd-journal group to read logs without sudo:
sudo usermod -aG systemd-journal username
Then the user must log out and log in again.
10. Relationship with rsyslog
In RHEL, journald can forward logs to:
- rsyslog
rsyslog stores traditional text logs in:
/var/log/
For RHCSA:
- Know journald is primary.
- rsyslog may still be active.
- Journald can forward logs to syslog.
11. Important journalctl Commands (Quick Revision)
| Command | Purpose |
|---|---|
| journalctl | View all logs |
| journalctl -b | Logs from current boot |
| journalctl -b -1 | Previous boot |
| journalctl -u service | Logs for a service |
| journalctl -f | Live log view |
| journalctl --disk-usage | Check size |
| journalctl --vacuum-time= | Remove old logs |
12. IT Environment Usage (Practical Understanding)
In IT environments, preserving journals is important for:
- Investigating service failures
- Analyzing why a server failed to boot
- Checking security-related events
- Tracking unauthorized access attempts
- Monitoring application crashes
- Performing audit reviews
If logs disappear after reboot, troubleshooting becomes difficult. That is why persistent logging is required in production servers.
13. What the RHCSA Exam Really Tests
For this section, focus on:
- Enabling persistent journaling
- Editing /etc/systemd/journald.conf
- Restarting journald service
- Checking disk usage
- Cleaning old logs
- Verifying previous boot logs
- Understanding storage locations
You will not be asked theory questions. You must perform configuration tasks correctly.
14. Common Mistakes to Avoid
- Forgetting to restart systemd-journald after configuration
- Editing wrong file
- Not creating /var/log/journal directory
- Not verifying logs after reboot
- Setting disk limit but not testing
15. Quick Exam Checklist
Before finishing the task in the exam:
- Is /var/log/journal created?
- Is Storage=persistent configured?
- Did you restart systemd-journald?
- Does journalctl --list-boots show previous boots?
- Is disk usage limited properly?
If all are correct, you are safe for this objective.
Final Summary
To preserve system journals in RHCSA:
- Understand volatile vs persistent logs.
- Enable persistent storage in /var/log/journal.
- Configure limits in /etc/systemd/journald.conf.
- Use journalctl to manage and clean logs.
- Restart journald after changes.
- Verify logs survive reboot.
Master these commands practically, and you will confidently pass this section of the RHCSA exam.
